Disqus May Not Have Been Hacked; But It Was Certainly Exploited

Now one of the journalists, Martin Fredriksson, has told The Local, "the unmasking of a few thousand users behind pseudonyms used on far-right sites in Sweden could just be the tip of the iceberg." Their project, which started back in February 2013, also highlights the grey area between research and hacking – their process was similar in concept to how Andrew Auernheimer (aka 'weev') obtained the e-mail addresses of iPad users from AT&T in 2010. Auernheimer was later found guilty of offenses under the Computer Fraud and Abuse Act in the US, and imprisoned.

But like Auernheimer, Fredriksson did not, in his own terms, actively hack Disqus. Instead the group used a freely available part of the Disqus service. "We used an open Disqus API protocol to obtain the data," he told The Local. He then wrote a script to automate the process. "You usually get around 100 comments with one request, but our system was able to send ten requests at once," he explained.

The result is that his group is now sitting on a database of 29 million supposedly anonymous comments from sites that use the Disqus system – such as CNN, The Telegraph, ABC News, and The Jerusalem Post, as well as from mainstream Swedish news sites such as Svenska Dagbladet, SVT Debatt, and The Local itself.

"Members of the Research Group quickly realized, however," reports The Local, "that the data they received also came with metadata that included the email addresses tied to anonymous Disqus accounts."

"We got a lot of data we probably weren't supposed to get," said Fredriksson, emphasizing that the group used no illicit methods but simply made use of a flaw in the Disqus security.

Disqus sort of agreed. "Disqus has not been cracked," said Stephen Roy, VP marketing in a blog statement. "No emails were leaked by Disqus. Disqus offers an API service that includes MD5 hashes of email addresses in order to use Gravatar, a commonly used third party service that enables users to display a consistent avatar across platforms." He added that what Fredriksson did was "a breach of our privacy guidelines."

For his part, Fredriksson stressed that he 'didn't even use any account for this, and never had to agree on any terms of service.' "We are researchers and they cannot blame us for researching openly available data. I think the bad guys are those who handle our personal information so carelessly," he told The Local.

It is a continuing grey area. Where does research end and hacking begin? It is behavior almost certainly in contravention of the US Computer Fraud and Abuse Act – but it is little different to what security researchers do all the time. In this instance it is complicated by the nature of the Swedish investigative journalists. Their primary motivation was almost certainly political research rather than security research. Nevertheless, they exposed, and have therefore improved, a major security flaw.